Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs
On 3/15/22 19:16, Thomas Bohl wrote:
>
>>> IIUC the client server needs the CA Certificate that was used to
>>> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
>>> OpenBSD).
>>
>> Thanks. I did try this but it's still not working out.
>>
>
>> Download the server certificate and append it to our /etc/ssl/certs.pem
>>
>> client# scp relay-server:/etc/ssl/server.crt /tmp/
>> client# file /tmp/server.crt
>> /tmp/server.crt: PEM certificate
>> client# cat /tmp/server.crt >> /etc/ssl/certs.pem
>
> Not the cert of the server but, like he said, the CACert.pem
>
> (And now you have to do that every time you update the system. Just go
> with free "ACME certificate".)

OpenSMTPD should provide a way to specify the CA bundle used to validate an individual connection.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs
>> IIUC the client server needs the CA Certificate that was used to
>> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
>> OpenBSD).
>
> Thanks. I did try this but it's still not working out.
>
> Download the server certificate and append it to our /etc/ssl/certs.pem
>
> client# scp relay-server:/etc/ssl/server.crt /tmp/
> client# file /tmp/server.crt
> /tmp/server.crt: PEM certificate
> client# cat /tmp/server.crt >> /etc/ssl/certs.pem

Not the cert of the server but, like he said, the CACert.pem

(And now you have to do that every time you update the system. Just go with free "ACME certificate".)
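The difference the reply above points at (appending the server's own certificate versus appending the certificate of the CA that issued it) can be checked on the client with openssl before touching smtpd. The script below is an added example, not code from the thread or from the OpenSMTPD project: it builds a throwaway private CA and a server certificate signed by it in a temporary directory, then verifies the server certificate against two bundles, one holding only the leaf (what was done in the thread) and one holding the CA certificate (what the replies advise). The CA name, file names and the config snippet are constructed here; relay-server.example.org is the host name used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the trust-bundle mistake
# discussed above with a throwaway private CA. Everything runs in a temporary
# directory; the CA name and file names are constructed here, the host name
# relay-server.example.org is the one used in the thread.

# Build a private CA and a server certificate it has signed. Prints the
# scratch directory so callers can find ca.crt and server.crt.
make_test_pki() {
    dir=$(mktemp -d) || return 1

    # Minimal req(1) config so the CA cert carries basicConstraints=CA:TRUE;
    # without it some OpenSSL builds refuse to treat the root as a CA.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed private CA
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1

    # Server key and CSR (-subj overrides the CN from the config)
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=relay-server.example.org" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1

    # Leaf extensions: end-entity certificate with the SMTP host name as a SAN
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:relay-server.example.org\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 1 -in "$dir/server.csr" -extfile "$dir/server.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1

    echo "$dir"
}

# Check a server certificate against a trust bundle the way a TLS client does:
# the chain must end at a self-signed root contained in the bundle.
verify_chain() {
    bundle=$1
    leaf=$2
    openssl verify -CAfile "$bundle" "$leaf" 2>&1 | grep -q ': OK$'
}

# Compare the two bundles from the thread. Prints "<bundle>: OK" or
# "<bundle>: FAIL" for each, then removes the scratch directory.
compare_bundles() {
    d=$(make_test_pki) || return 1
    # bundle-leaf: only the server's own certificate (the mistake in the thread)
    cat "$d/server.crt" > "$d/bundle-leaf.pem"
    # bundle-ca: the issuing CA's certificate (what the replies advise)
    cat "$d/ca.crt" > "$d/bundle-ca.pem"
    for b in bundle-leaf bundle-ca; do
        if verify_chain "$d/$b.pem" "$d/server.crt"; then
            echo "$b: OK"
        else
            echo "$b: FAIL"
        fi
    done
    rm -rf "$d"
}

compare_bundles
```

On a real client the same check is `openssl verify -CAfile /etc/ssl/cert.pem /tmp/server.crt` after the CA certificate has been appended to the bundle; if that fails, smtpd's verification will fail for the same reason, whatever the bundle file is called.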
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs
On Tue, Mar 15, 2022 at 05:11:14PM +0100, Marcus MERIGHI wrote:
>Hello,
>
>rea...@catastrophe.net (rea...@catastrophe.net), 2022.03.15 (Tue) 00:27 (CET):
>> On Tue, Mar 15, 2022 at 09:40:34AM +1100, Dipesh Sharma wrote:
>> >Did you try the 'tls no-verify' option described here:
>> >https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host
>> >under example.com is talking to the correct mail.example.com host, it is OK
>> >to skip the certificate verification.
>>
>> I did not as that is not what I'm hoping to do.
>>
>> Instead I'd like to verify the server's certificate is signed by a CA
>> whose certificate is on the client machine.
>
>IIUC the client server needs the CA Certificate that was used to
>generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
>OpenBSD).

Thanks. I did try this but it's still not working out.

My configuration:

client# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases

listen on socket
listen on lo0

action "local_mail" maildir alias
action "outbound" relay host smtp://relay-server.example.org

match for local action "local_mail"
match for any action "outbound"

Download the server certificate and append it to our /etc/ssl/certs.pem

client# scp relay-server:/etc/ssl/server.crt /tmp/
client# file /tmp/server.crt
/tmp/server.crt: PEM certificate
client# cat /tmp/server.crt >> /etc/ssl/certs.pem

Restart smtpd then send a test message

client# rcctl restart smtpd
client# echo "test" | mail -s Test recipi...@example.org

Logs show smtp becomes smtp+notls

client# tail -f /var/log/maillog
[..]
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 15:54:08 client smtpd[87731]: smtp-out: Error on session 329936c19282523c: opportunistic TLS failed, downgrading to plain
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp+notls://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 15:54:09 client smtpd[87731]: 329936c19282523c mta delivery evpid=5141efe410221a1f from= to= rcpt=<-> source="192.168.1.9" relay="192.168.1.1 (relay-server.example.org)" delay=1s result="Ok" stat="250 2.0.0 e6ec7840 Message accepted for delivery"
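The log excerpt above is the thing to watch for on the client side: the message was accepted, but only after smtpd gave up on TLS and re-dialled the relay as smtp+notls. The script below is an added example, not code from the thread or from OpenSMTPD: it scans maillog lines for the "opportunistic TLS failed, downgrading to plain" error and pairs it with the smtp+notls connect that follows, printing the session id and relay host for each downgraded session. The first five sample lines are the ones posted above; the last two are constructed here to show a session that did not downgrade.

```shell
#!/bin/sh
# Added example, not code from the thread: find smtpd sessions whose TLS
# attempt was downgraded to plain text. The first five SAMPLE_LOG lines are
# the ones posted in the thread; the last two are constructed here.

# Reads log lines on stdin; prints "<session-id> <host>" for every session
# whose TLS attempt was downgraded to plain text.
find_tls_downgrades() {
    awk '
    # The error line names the session after "session "; remember it.
    /opportunistic TLS failed, downgrading to plain/ {
        if (match($0, /session [0-9a-f]+/)) {
            sid = substr($0, RSTART + 8, RLENGTH - 8)
            downgraded[sid] = 1
        }
        next
    }
    # The follow-up connect uses the smtp+notls scheme; the session id sits
    # between "smtpd[pid]: " and " mta connecting" (2 + 15 chars stripped).
    /mta connecting address=smtp\+notls:/ {
        if (match($0, /: [0-9a-f]+ mta connecting/)) {
            sid = substr($0, RSTART + 2, RLENGTH - 17)
            host = "?"
            if (match($0, /host=[^ ]+/)) host = substr($0, RSTART + 5, RLENGTH - 5)
            if (sid in downgraded) print sid, host
        }
    }'
}

# Constructed sample: the thread's lines plus one session that kept TLS.
SAMPLE_LOG='Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 15:54:08 client smtpd[87731]: smtp-out: Error on session 329936c19282523c: opportunistic TLS failed, downgrading to plain
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp+notls://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 16:02:11 client smtpd[87731]: 7a1b2c3d4e5f6071 mta connecting address=smtp://192.168.1.2:25 host=other-relay.example.org
Mar 15 16:02:11 client smtpd[87731]: 7a1b2c3d4e5f6071 mta connected'

# Runs the scan over the embedded sample; prints the downgraded sessions.
scan_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" | find_tls_downgrades
}

scan_sample_log
```

On a real host the scan is `find_tls_downgrades < /var/log/maillog`; a non-empty result means mail to that relay went out in clear text because verification failed, which is the condition a fixed trust bundle should make disappear.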
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs
Hello,

rea...@catastrophe.net (rea...@catastrophe.net), 2022.03.15 (Tue) 00:27 (CET):
> On Tue, Mar 15, 2022 at 09:40:34AM +1100, Dipesh Sharma wrote:
> >Did you try the 'tls no-verify' option described here:
> >https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host
> >under example.com is talking to the correct mail.example.com host, it is OK
> >to skip the certificate verification.
>
> I did not as that is not what I'm hoping to do.
>
> Instead I'd like to verify the server's certificate is signed by a CA
> whose certificate is on the client machine.

IIUC the client server needs the CA Certificate that was used to generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on OpenBSD).

Marcus
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs
On Tue, Mar 15, 2022 at 09:40:34AM +1100, Dipesh Sharma wrote:
>Did you try the 'tls no-verify' option described here:
>https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host
>under example.com is talking to the correct mail.example.com host, it is OK
>to skip the certificate verification.

I did not as that is not what I'm hoping to do.

Instead I'd like to verify the server's certificate is signed by a CA whose certificate is on the client machine.
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs
Did you try the 'tls no-verify' option described here: https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host under example.com is talking to the correct mail.example.com host, it is OK to skip the certificate verification.

Thanks,
Dipesh

On Tue, Mar 15, 2022 at 7:18 AM wrote:
> A private CA has issued server certs to mail.example.org. However, when
> smtpd from another server in the example.org domain connects to
> mail.example.org, TLS validation fails and the message exchange falls back
> to smtp+notls
>
> Is there a way to add a cert chain somewhere that smtpd will do a chain
> lookup in order to trust the TLS connection?
>
> The following log messages show the error:
>
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connected
> Mar 14 15:00:32 server smtpd[73240]: smtp-out: Error on session e415a0d39ccaa8a6: opportunistic TLS failed, downgrading to plain
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connecting address=smtp+notls://100.64.10.1:25 host=mail.example.org
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connected
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta delivery evpid=6ad1c44d48964de8 from= to= rcpt=<-> source="100.64.10.9" relay="100.64.10.1 (mail.example.org)" delay=42s result="Ok" stat="250 2.0.0 180e8af2 Message accepted for delivery"
>
> Thanks in advance.
>
>
Validating certificate chain of SMTP TLS connections using privately-issued CA certs
A private CA has issued server certs to mail.example.org. However, when smtpd from another server in the example.org domain connects to mail.example.org, TLS validation fails and the message exchange falls back to smtp+notls.

Is there a way to add a cert chain somewhere that smtpd will do a chain lookup in order to trust the TLS connection?

The following log messages show the error:

Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connected
Mar 14 15:00:32 server smtpd[73240]: smtp-out: Error on session e415a0d39ccaa8a6: opportunistic TLS failed, downgrading to plain
Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connecting address=smtp+notls://100.64.10.1:25 host=mail.example.org
Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connected
Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta delivery evpid=6ad1c44d48964de8 from= to= rcpt=<-> source="100.64.10.9" relay="100.64.10.1 (mail.example.org)" delay=42s result="Ok" stat="250 2.0.0 180e8af2 Message accepted for delivery"

Thanks in advance.